Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 04-10-2024 13:11
Static task: static1
Behavioral task: behavioral1
Sample: 7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
Resource: win7-20240903-en

General
Target: 7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
Size: 1.8MB
MD5: 08c2b2e490868981fa263c82709b2d80
SHA1: 7d6dcc0e3ceb2437b6fdc4516196ef1355220c50
SHA256: 7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67f
SHA512: 50dabc7ba7432b11bcdd379a6eed458f10c646f41e7c0a7ec107aaa0c14ffe53358df75a382146c6883f07b2815cb502a0a784dcc217a00e0ac2dc0285c2f66c
SSDEEP: 49152:myIO6XrnRNm5zuXp7jRG6wLvSpDiTEsnfDB1:XIOqrRXG6wL6U
Malware Config (extracted)
Family: phorphiex
URL: http://185.215.113.66/
mutex: tre5eer
user_agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/118.0.0.0 Safari/537.36
Signatures

Phorphiex payload (1 IoC)
Processes:
  resource: \Users\Admin\AppData\Local\Temp\903E.exe  yara_rule: family_phorphiex
Processes:
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Downloads MZ/PE file
Executes dropped EXE (4 IoCs)
Processes:
  PID 2924  903E.exe
  PID 2768  sylsplvc.exe
  PID 1492  1090932699.exe
  PID 348   3029823720.exe
Loads dropped DLL (4 IoCs)
Processes:
  PID 2156  7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
  PID 2156  7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
  PID 2768  sylsplvc.exe
  PID 2768  sylsplvc.exe
Processes:
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesOverride = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallOverride = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiSpywareOverride = "1"
  sylsplvc.exe: Set value (int) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusOverride = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  903E.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sylsplvc.exe"
Drops file in Windows directory (2 IoCs)
Processes:
  903E.exe: File created C:\Windows\sylsplvc.exe
  903E.exe: File opened for modification C:\Windows\sylsplvc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  903E.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
  sylsplvc.exe: Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Suspicious behavior: EnumeratesProcesses (1 IoC)
Processes:
  PID 1492  1090932699.exe
Suspicious use of AdjustPrivilegeToken (1 IoC)
Processes:
  PID 1492  1090932699.exe: Token: SeDebugPrivilege
Suspicious use of WriteProcessMemory (28 IoCs)
Processes (source PID / process -> target PID / process, number of identical entries in the report):
  PID 2156 (7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe) wrote to memory of PID 2924 (903E.exe)  x4
  PID 2924 (903E.exe) wrote to memory of PID 2768 (sylsplvc.exe)  x4
  PID 2768 (sylsplvc.exe) wrote to memory of PID 1492 (1090932699.exe)  x4
  PID 1492 (1090932699.exe) wrote to memory of PID 628 (cmd.exe)  x3
  PID 1492 (1090932699.exe) wrote to memory of PID 2072 (cmd.exe)  x3
  PID 628 (cmd.exe) wrote to memory of PID 1672 (reg.exe)  x3
  PID 2072 (cmd.exe) wrote to memory of PID 1380 (schtasks.exe)  x3
  PID 2768 (sylsplvc.exe) wrote to memory of PID 348 (3029823720.exe)  x4
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
(process tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\7562ef3687cfc6297be238ff05849badeabe8963c3952f1cf40b2d9dffcce67fN.exe"
  PID: 2156
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\903E.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\903E.exe"
    PID: 2924
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    C:\Windows\sylsplvc.exe
      command line: C:\Windows\sylsplvc.exe
      PID: 2768
      - Windows security bypass
      - Executes dropped EXE
      - Loads dropped DLL
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\Users\Admin\AppData\Local\Temp\1090932699.exe
        command line: C:\Users\Admin\AppData\Local\Temp\1090932699.exe
        PID: 1492
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
          PID: 628
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\reg.exe
            command line: reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
            PID: 1672

        C:\Windows\System32\cmd.exe
          command line: "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
          PID: 2072
          - Suspicious use of WriteProcessMemory

          C:\Windows\system32\schtasks.exe
            command line: schtasks /delete /f /tn "Windows Upgrade Manager"
            PID: 1380

      C:\Users\Admin\AppData\Local\Temp\3029823720.exe
        command line: C:\Users\Admin\AppData\Local\Temp\3029823720.exe
        PID: 348
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads